GHSA-553q-hpvp-q8pc

Source

https://github.com/advisories/GHSA-553q-hpvp-q8pc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-553q-hpvp-q8pc/GHSA-553q-hpvp-q8pc.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-553q-hpvp-q8pc

Aliases

CVE-2021-4075

Published

2021-12-10T20:22:15Z

Modified

2023-11-01T04:56:21.228186Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Server-Side Request Forgery in snipe/snipe-it

Details

Admin users on the external network can perform blind POST-based SSRF (issue requests on behalf of the server into the internal network) via the Slack Integration. This vulnerability is capable of port-scanning of the internal network, issue POST requests to web servers on the internal network which can be escalated to higher-impact.

Database specific

{
    "cwe_ids": [
        "CWE-918"
    ],
    "nvd_published_at": "2021-12-06T21:15:00Z",
    "github_reviewed_at": "2021-12-07T21:24:53Z",
    "github_reviewed": true,
    "severity": "HIGH"
}

References

Affected packages

Packagist / snipe/snipe-it

Package

Name: snipe/snipe-it
Purl: pkg:composer/snipe/snipe-it

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.0-GM

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.2.0

v0.3.0-alpha

v0.3.7-alpha

v0.3.8-alpha

v0.3.9-alpha

v0.3.10-alpha

v0.3.11-alpha

v1.*

v1.0

v1.1

v1.2.0

v1.2.1

v1.2.2

v1.2.3-beta

v1.2.3

v1.2.4-beta

v1.2.4

v1.2.5

v1.2.6-beta

v1.2.6

v1.2.6.1

v1.2.7-beta

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v2.*

v2.0-beta

v2.0-RC-1

v2.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.1.0

v2.1.1

v2.1.2

v3.*

v3.0-alpha

v3.0-alpha2

v3.0-beta.1

v3.0-beta.2

v3.0-beta.3

v3.0

v3.0.0-beta

v3.1.0

v3.3.0-beta

v3.3.0

v3.4

v3.4.0-alpha

v3.4.0-beta

v3.5.0-beta

v3.5.0-beta2

v3.5.0

v3.5.1

v3.5.2

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.6.5

v3.6.6

3.*

3.2.0

Other

v4-beta3

v4-beta4

v4.*

v4.0-alpha

v4.0-alpha-2

v4.0-beta

v4.0-beta2

v4.0-beta5

v4.0-beta6

v4.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.0.10

v4.0.11

v4.0.12

v4.0.13

v4.0.14

v4.0.15

v4.1.0-beta

v4.1.0-beta2

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1.10

v4.1.11

v4.1.12

v4.1.13

v4.1.14

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.5.0

v4.6.0

v4.6.1

v4.6.2

v4.6.3

v4.6.4

v4.6.5

v4.6.6

v4.6.7

v4.6.8

v4.6.9

v4.6.10

v4.6.11

v4.6.12

v4.6.13

v4.6.14

v4.6.15

v4.6.16

v4.6.17

v4.6.18

v4.7.0

v4.7.1

v4.7.2

v4.7.3

v4.7.4

v4.7.5

v4.7.6

v4.7.7

v4.7.8

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v4.9.3

v4.9.4

v4.9.5

v5.*

v5.0.0-beta-1.0

v5.0.0-beta-1.1

v5.0.0-beta-2

v5.0.0-beta-3.0

v5.0.0-beta-4

v5.0.0-beta-5

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v5.0.10

v5.0.11

v5.0.12

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.1.6

v5.1.7

v5.1.8

v5.2.0

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.3.6

v5.3.7

v5.3.8

v5.3.9

v5.3.10

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

Database specific

last_known_affected_version_range

"<= 5.3.3"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-553q-hpvp-q8pc/GHSA-553q-hpvp-q8pc.json"